[dns-operations] Does DNSSEC provide any mitigation for SSL bugs, like Apple's?

Vernon Schryver vjs at rhyolite.com
Mon Feb 24 19:37:33 UTC 2014


> From: Paul Wouters <paul at cypherpunks.ca>

> Note though, that TLSA can pin either the CA or the EE cert. If you pin
> the CA cert, then an attacker could just get _any_ cert from the same CA
> and still subvert you. If you had chosen to pin the EE cert, then the
> attack would have failed completely.

Instead of pinning (certificate usage 1) and so remaining dependent
on and paying to get your certs signed by the pile of feckless,
insecure commercial CA certs in browsers, why not opt out of the
commercial PKI fraud entirely with usage 2 or 3?

Besides being more secure with usage 2 or 3, because a rogue CA cert
in those nasty browser piles won't be able to sign your web pages even
while DNSSEC and your pinning TLSA records are blocked, you wouldn't
pay commercial PKI protection money.

Note also that usage 2 or 3 can specify your own self-signed CA
cert, which can simplify your cert management.


Vernon Schryver    vjs at rhyolite.com
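An added example, not part of this thread or of any DANE implementation, showing how a DANE client evaluates the four RFC 6698 certificate usages discussed above (0 and 1 pin a CA or EE cert but still require the ordinary browser PKIX chain; 2 and 3 pin your own trust anchor or EE cert and never consult the browser CA store). The certificates are constructed stand-ins (dicts holding the bytes a real client would extract from DER), the names, keys and the `www.example.com` zone are assumptions, and `pkix_valid` is a stand-in for real path validation:

```python
"""Added example (not from the thread): how a DANE client evaluates a TLSA
record (RFC 6698 certificate usage / selector / matching type) against the
certificate chain a TLS server presents. Certificates here are constructed
stand-ins holding the bytes a real client would extract from DER."""
import hashlib

# RFC 6698 field values
PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3   # certificate usage
SEL_CERT, SEL_SPKI = 0, 1                          # selector
MT_FULL, MT_SHA256, MT_SHA512 = 0, 1, 2            # matching type


def fake_cert(name, issuer, key, ca=False):
    """Constructed stand-in for a parsed X.509 certificate (not real DER)."""
    spki = f"spki:{key}".encode()                      # SubjectPublicKeyInfo bytes
    der = f"cert:{name}<-{issuer}:".encode() + spki    # whole certificate bytes
    return {"name": name, "issuer": issuer, "der": der, "spki": spki, "ca": ca}


def association_data(cert, selector, mtype):
    """Certificate Association Data of one cert for the given selector/type."""
    data = cert["der"] if selector == SEL_CERT else cert["spki"]
    if mtype == MT_FULL:
        return data
    if mtype == MT_SHA256:
        return hashlib.sha256(data).digest()
    if mtype == MT_SHA512:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unknown matching type {mtype}")


def tlsa_record(usage, selector, mtype, cert):
    """Build the RDATA tuple a zone would publish for this cert."""
    return (usage, selector, mtype, association_data(cert, selector, mtype))


def presentation(owner, record):
    """Zone-file form, e.g. _443._tcp.www.example.com. IN TLSA 3 1 1 <hex>."""
    u, s, m, d = record
    return f"{owner} IN TLSA {u} {s} {m} {d.hex()}"


def chain_links(chain):
    """Each cert must be issued by the next one, and that one must be a CA."""
    return all(c["issuer"] == p["name"] and p["ca"] for c, p in zip(chain, chain[1:]))


def pkix_valid(chain, trust_store):
    """Stand-in for PKIX validation: linked chain ending at a root in the store."""
    root = chain[-1]
    return chain_links(chain) and root["issuer"] == root["name"] and root["name"] in trust_store


def tlsa_matches(record, chain, trust_store):
    """chain is leaf-first. True if the TLSA record accepts the presented chain."""
    usage, selector, mtype, data = record
    # Usages 0 and 1 still require a PKIX path into the browser's CA store.
    if usage in (PKIX_TA, PKIX_EE) and not pkix_valid(chain, trust_store):
        return False
    if usage in (PKIX_EE, DANE_EE):            # EE usages: only the leaf is compared
        return association_data(chain[0], selector, mtype) == data
    # TA usages: an issuer in the presented chain matches and the leaf chains to it
    for i, cert in enumerate(chain[1:], 1):
        if association_data(cert, selector, mtype) == data:
            return chain_links(chain[: i + 1])
    return False


# --- constructed scenario mirroring the thread --------------------------------
BROWSER_CAS = {"Commercial CA"}
commercial_ca = fake_cert("Commercial CA", "Commercial CA", "ca-key", ca=True)
legit = fake_cert("www.example.com", "Commercial CA", "key-1")
rogue = fake_cert("www.example.com", "Commercial CA", "key-2")   # "any cert from the same CA"
own_ca = fake_cert("My CA", "My CA", "my-ca-key", ca=True)       # self-signed, not in browsers
own_ee = fake_cert("www.example.com", "My CA", "key-3")


def run_scenarios():
    ca_pin = tlsa_record(PKIX_TA, SEL_SPKI, MT_SHA256, commercial_ca)   # 0 1 1
    ee_pin = tlsa_record(PKIX_EE, SEL_SPKI, MT_SHA256, legit)           # 1 1 1
    dane_ta = tlsa_record(DANE_TA, SEL_SPKI, MT_SHA256, own_ca)         # 2 1 1
    dane_ee = tlsa_record(DANE_EE, SEL_SPKI, MT_SHA256, own_ee)         # 3 1 1
    return {
        "ca_pin_accepts_rogue": tlsa_matches(ca_pin, [rogue, commercial_ca], BROWSER_CAS),
        "ee_pin_rejects_rogue": not tlsa_matches(ee_pin, [rogue, commercial_ca], BROWSER_CAS),
        "ee_pin_accepts_legit": tlsa_matches(ee_pin, [legit, commercial_ca], BROWSER_CAS),
        "pkix_ee_fails_without_browser_ca": not tlsa_matches(ee_pin, [legit, commercial_ca], set()),
        "dane_ee_works_without_browser_ca": tlsa_matches(dane_ee, [own_ee], set()),
        "dane_ta_accepts_own_ca_chain": tlsa_matches(dane_ta, [own_ee, own_ca], set()),
        "dane_ee_rejects_rogue": not tlsa_matches(dane_ee, [rogue, commercial_ca], BROWSER_CAS),
    }


if __name__ == "__main__":
    print(presentation("_443._tcp.www.example.com.", tlsa_record(DANE_EE, SEL_SPKI, MT_SHA256, own_ee)))
    for name, ok in run_scenarios().items():
        print(f"{name}: {ok}")
```

Every entry of `run_scenarios()` evaluates to True: a usage 0 record accepts any cert the same CA issued, a usage 1 record rejects it but still fails when the CA is absent from the browser store, and usages 2 and 3 accept a chain rooted in a self-signed CA with no browser store at all.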


